Sandbox analysis listing, submissions of 2021-02-18. Each record gives: ID | submission time | file name | MD5 | submitter; behaviour tags; contacted URLs (with the ID of the URL rule they matched, where any); resolved hosts with the sandbox's verdict; IDS alerts; URLs matched by URL rules; score, followed by the two unlabelled trailing columns exactly as the listing shows them.

5251 | 2021-02-18 17:45 | DEOappfYsSq5C13.exe | f02bd49ed33a2243d71bb1bbe592f39b | ZeroCERT
Tags: VirusTotal, Malware, Buffer PE, Check memory, Checks debugger, buffers extracted, unpack itself
Network: none recorded
Score: 3.0 | M | 10

5252 | 2021-02-18 17:46 | cmd2.exe | b32efdfbbda064434979296814e8875f | ZeroCERT
Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, DNS
URLs (5):
  http://www.xn--oi2b190cymc.com/bw82/?uRipW=7nGxC&FTChTb7=u3mIEO7S2jpcCNzGap3V7GnWoZ6byXdDGQc9TZtHwlHE0/S/m+Ek+z3BS3DZiW4dRqN2gVn1 - rule_id: 178
  http://www.xn--oi2b190cymc.com/bw82/ - rule_id: 178
  http://www.exlineinsurance.com/bw82/?uRipW=7nGxC&FTChTb7=BmIsBEloLc/PpxxxkqeO/+wp1eRqaF5UDtwx0wOakOw3DMvjZvU2EPbm5c7g7p6k7NfDBGcL - rule_id: 179
  http://www.gmobilet.com/bw82/
  http://www.exlineinsurance.com/bw82/ - rule_id: 179
Hosts (11):
  www.exlineinsurance.com (182.50.132.242) - malicious
  www.xn--oi2b190cymc.com (112.175.185.27) - malicious
  www.climaxnovels.com (34.102.136.180) - malicious
  www.ramjamdee.com (34.102.136.180) - malicious
  www.gmobilet.com (104.160.174.190) - malicious
  www.twistedtailgatesweeps1.com (184.168.131.241) - malicious
  34.102.136.180 - malicious
  112.175.185.27 - malicious
  184.168.131.241 - malicious
  182.50.132.242 - malicious
  104.160.174.190
IDS alerts (1):
  ET MALWARE FormBook CnC Checkin (GET)
URL rule matches (4):
  http://www.xn--oi2b190cymc.com/bw82/ (x2)
  http://www.exlineinsurance.com/bw82/ (x2)
Score: 10.2 | M | 17

5253 | 2021-02-18 17:59 | document.doc | 4261ec0a9edda9561c4dda5d8da7f98d | ZeroCERT
Tags: FormBook, Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, Windows Exploit, DNS, crashed, Downloader
URLs (2):
  http://www.rizrvd.com/bw82/?CnaDl=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&DxlLi=2dmX - rule_id: 170
  http://www.rizrvd.com/bw82/ - rule_id: 170
Hosts (5):
  www.rizrvd.com (34.102.136.180) - malicious
  www.illfingers.com (162.241.217.138) - malicious
  162.241.217.138 - malicious
  34.102.136.180 - malicious
  65.0.55.192 - malicious
IDS alerts (7):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE FormBook CnC Checkin (GET)
URL rule matches (2):
  http://www.rizrvd.com/bw82/ (x2)
Score: 5.6 | M | 27

5254 | 2021-02-18 17:59 | dxmanx.exe | e1fad87e847735c141f999d5b024080d | ZeroCERT
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, DNS, Cryptographic key, crashed
URLs (2):
  http://185.239.242.107/base/E7F1A17AB07A675B9B97A676DDD26130.html - rule_id: 263
  http://185.239.242.107/base/5D6C633E69FA50F58B40E7ED6CC7A014.html - rule_id: 263
Hosts (1):
  185.239.242.107 - malicious
IDS alerts: none
URL rule matches (2):
  http://185.239.242.107/base/ (x2)
Score: 12.2 | M | 24

5255 | 2021-02-18 18:10 | EWC.exe | d9a30d4715edbd7428d377872b0f49a0 | ZeroCERT
Tags: VirusTotal, Malware, RWX flags setting, unpack itself, DNS
Network: none recorded
Score: 2.4 | M | 33

5256 | 2021-02-18 18:10 | edi.js | 5f82fde65dfd751c2b602541e36ae6d7 | ZeroCERT
Tags: Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, AutoRuns, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, heapspray, Creates shortcut, ICMP traffic, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, malicious URLs, AntiVM_Disk, sandbox evasion, WriteConsoleW, VM Disk Size Check, installed browsers check, Windows, Java, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, keylogger
URLs: none
Hosts (6):
  augustair.com (206.130.99.140) - malware
  google.com (172.217.175.14)
  jimmy101.myq-see.com (162.251.123.194) - malicious
  162.251.123.194
  206.130.99.140 - malware
  216.58.199.14 - malicious
IDS alerts (3):
  ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
  ET INFO Observed DNS Query to .myq-see .com DDNS Domain
  ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
URL rule matches: none
Score: 21.4 | M | 4

5257 | 2021-02-18 18:32 | higLyd1z5fHwrWa.exe | 9b4d73ebe99774a232e29b43ee1e96d4 | ZeroCERT
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName
Network: none recorded
Score: 10.0 | M | 19

5258 | 2021-02-18 18:32 | huaa.msi | 9155b960719fa978d1a26c54a5897cdd | ZeroCERT
Tags: VirusTotal, Malware, suspicious privilege, Check memory, Checks debugger, unpack itself, AntiVM_Disk, VM Disk Size Check, ComputerName, DNS
Network: none recorded
Score: 2.8 | M | 3

5259 | 2021-02-18 18:37 | huaa.pdf.exe | 879951cddad7add207ee8ed634e4247a | ZeroCERT
Tags: VirusTotal, Malware, Check memory, RWX flags setting, unpack itself
Network: none recorded
Score: 1.4 | M | 3

5260 | 2021-02-18 18:37 | ICcVhvdlUe6FdY2.exe | c5593207f9e831b1727fcf584f229a73 | ZeroCERT
Tags: VirusTotal, Malware, Buffer PE, Check memory, Checks debugger, buffers extracted, unpack itself, DNS
Network: none recorded
Score: 3.6 | M | 15

5261 | 2021-02-18 18:40 | jooo.exe | 19f3a1669176c3126ae4f89832ea265e | ZeroCERT
Tags: VirusTotal, Malware, Buffer PE, Check memory, Checks debugger, buffers extracted, unpack itself
Network: none recorded
Score: 3.0 | M | 11

5262 | 2021-02-18 18:41 | M9hXhq8tCvts4NK.exe | 6b7415c987b1bc9ded11a5af9ddbf403 | ZeroCERT
Tags: VirusTotal, Malware, Buffer PE, Check memory, Checks debugger, buffers extracted, unpack itself, DNS
Network: none recorded
Score: 3.6 | M | 11

5263 | 2021-02-18 18:44 | MLU.exe | 30463b0e753ea65c33791f701f68bf9f | ZeroCERT
Tags: VirusTotal, Malware, RWX flags setting, unpack itself, DNS
Network: none recorded
Score: 2.2 | M | 27

5264 | 2021-02-18 18:44 | maxs.exe | e461c46a2ae8137c347fcb895c6bddf0 | ZeroCERT
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs (2):
  http://185.239.242.107/base/F877518494A88142C918652019EF505B.html - rule_id: 263
  https://api.ipify.org/
Hosts (3):
  api.ipify.org (23.21.126.66)
  23.21.126.66
  185.239.242.107 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URL rule matches (1):
  http://185.239.242.107/base/
Score: 14.6 | M | 16

5265 | 2021-02-18 21:23 | hello.exe | f146529e51a359d892943fe6da8cbbea | guest
Tags: VirusTotal, Malware, WriteConsoleW
Network: none recorded
Score: 1.4 | - | 21
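The records above are only useful once their network fields are turned into indicators. The following is an added example, not code from the sandbox or from this listing's submitter: it parses the URL, host and IDS-alert fields in the exact form they appear in the FormBook records (5252, 5253) and the maxs.exe record (5264), copied verbatim as sample input, and pivots on the URI path rather than on any one domain, because each FormBook sample here checks in to /bw82/ on several domains. The function names, the BENIGN_HOSTS allowlist (google.com and api.ipify.org, both present in the listing) and the hxxp/[.] defanging style are this example's own assumptions.

```python
"""IOC extraction over records in the sandbox listing format used on this page.

Added example, not the sandbox's own code. The string fields per record below
are copied verbatim from records 5252, 5253 and 5264 of the listing; the
function names, the BENIGN_HOSTS allowlist and the defanging style are this
example's own choices (assumptions), not part of the listing.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_RECORDS = [
    {"id": 5252, "sample": "cmd2.exe b32efdfbbda064434979296814e8875f",
     "urls": "http://www.xn--oi2b190cymc.com/bw82/?uRipW=7nGxC&FTChTb7=u3mIEO7S2jpcCNzGap3V7GnWoZ6byXdDGQc9TZtHwlHE0/S/m+Ek+z3BS3DZiW4dRqN2gVn1 - rule_id: 178 http://www.xn--oi2b190cymc.com/bw82/ - rule_id: 178 http://www.exlineinsurance.com/bw82/?uRipW=7nGxC&FTChTb7=BmIsBEloLc/PpxxxkqeO/+wp1eRqaF5UDtwx0wOakOw3DMvjZvU2EPbm5c7g7p6k7NfDBGcL - rule_id: 179 http://www.gmobilet.com/bw82/ http://www.exlineinsurance.com/bw82/ - rule_id: 179",
     "hosts": "www.exlineinsurance.com(182.50.132.242) - mailcious www.xn--oi2b190cymc.com(112.175.185.27) - mailcious www.climaxnovels.com(34.102.136.180) - mailcious www.ramjamdee.com(34.102.136.180) - mailcious www.gmobilet.com(104.160.174.190) - mailcious www.twistedtailgatesweeps1.com(184.168.131.241) - mailcious 34.102.136.180 - mailcious 112.175.185.27 - mailcious 184.168.131.241 - mailcious 182.50.132.242 - mailcious 104.160.174.190",
     "alerts": "ET MALWARE FormBook CnC Checkin (GET)"},
    {"id": 5253, "sample": "document.doc 4261ec0a9edda9561c4dda5d8da7f98d",
     "urls": "http://www.rizrvd.com/bw82/?CnaDl=AJ+QNFfrOFbXfaBH3oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPArp20lyvTn0sGIZMgptI&DxlLi=2dmX - rule_id: 170 http://www.rizrvd.com/bw82/ - rule_id: 170",
     "hosts": "www.rizrvd.com(34.102.136.180) - mailcious www.illfingers.com(162.241.217.138) - mailcious 162.241.217.138 - mailcious 34.102.136.180 - mailcious 65.0.55.192 - mailcious",
     "alerts": "ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE FormBook CnC Checkin (GET)"},
    {"id": 5264, "sample": "maxs.exe e461c46a2ae8137c347fcb895c6bddf0",
     "urls": "http://185.239.242.107/base/F877518494A88142C918652019EF505B.html - rule_id: 263 https://api.ipify.org/",
     "hosts": "api.ipify.org(23.21.126.66) 23.21.126.66 185.239.242.107 - mailcious",
     "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"},
]

# "url [- rule_id: N] url ..." : a URL runs to the next whitespace
URL_RE = re.compile(r"(https?://\S+)(?:\s+-\s+rule_id:\s*(\d+))?")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "name(ip) [- label]" or bare "ip [- label]"; the sandbox spells the label "mailcious"
HOST_RE = re.compile(r"(?:([\w.-]+)\((" + IP + r")\)|(" + IP + r"))"
                     r"(?:\s+-\s+(mailcious|malicious|malware))?")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Shared infrastructure the sandbox records but that is not C2 (assumed
# allowlist; both names occur in the listing above; review before extending).
BENIGN_HOSTS = {"google.com", "api.ipify.org"}


def parse_urls(field):
    """-> [(url, rule_id or None), ...] in listing order."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in URL_RE.finditer(field)]


def parse_hosts(field):
    """-> [{'name': domain or None, 'ip': str, 'label': normalised verdict or None}, ...]."""
    out = []
    for m in HOST_RE.finditer(field):
        name, ip_in_parens, bare_ip, label = m.groups()
        if label == "mailcious":          # tool's typo, normalise for downstream matching
            label = "malicious"
        out.append({"name": name, "ip": ip_in_parens or bare_ip, "label": label})
    return out


def parse_alerts(field):
    """Split concatenated Suricata signature names on 'ET <CLASS> ' boundaries."""
    return [a for a in re.split(r"\s+(?=ET [A-Z_]+ )", field.strip()) if a]


def defang(url):
    """hxxp / [.] defanging so the indicator cannot be clicked in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_iocs(record):
    """One record -> {md5, domains, ips, c2_urls, alerts}, benign hosts removed."""
    hosts = parse_hosts(record["hosts"])
    benign_ips = {h["ip"] for h in hosts if h["name"] in BENIGN_HOSTS}
    return {
        "md5": MD5_RE.search(record["sample"]).group(0),
        "domains": sorted({h["name"] for h in hosts
                           if h["name"] and h["name"] not in BENIGN_HOSTS}),
        "ips": sorted({h["ip"] for h in hosts if h["ip"] not in benign_ips}),
        # only URLs the sandbox matched against a URL rule count as C2 indicators
        "c2_urls": sorted({defang(u) for u, rule in parse_urls(record["urls"])
                           if rule is not None}),
        "alerts": parse_alerts(record["alerts"]),
    }


def cluster_by_path(records):
    """Group contacted hosts by URI path across records. The FormBook samples
    above all check in to /bw82/ on several domains each, so the path, not
    any single domain, is the pivot that ties the records together."""
    clusters = defaultdict(set)
    for rec in records:
        for url, _ in parse_urls(rec["urls"]):
            parsed = urlparse(url)
            clusters[parsed.path].add(parsed.hostname)
    return {path: sorted(hosts) for path, hosts in clusters.items()}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], extract_iocs(rec))
    print(cluster_by_path(SAMPLE_RECORDS))
```

Two caveats when turning the output into a blocklist. FormBook sends the same check-in to every domain in its configuration, so the /bw82/ cluster mixes the operator's live C2 with decoy and parked domains (note that two of the 5252 domains and the 5253 domain resolve to the same address), and the sandbox flags all of them; review the cluster before pushing it to a blocking control. And the benign-host filter is the reason api.ipify.org and google.com do not end up as indicators even though both appear in the host lists: an IP-check service contacted by a stealer is a behaviour to alert on, not an address to block.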